Guest guest Posted December 5, 2004

Parrish S. Knight wrote:
>
> There's a bit of a difference. Postal mail costs the sender money. Email
> costs the recipient money. Email is, essentially, mail sent postage
> due without the option of declining receipt.
>
>> It is really scary to think that people would want the government regulating
>> to whom they can forward email, and under which conditions.
>
> Like I said, I'm not crazy about the idea, either, but I'm getting really
> tired of having the email accounts that I pay for rendered increasingly
> useless by other people's malice and/or incompetence. Yes, there
> are spam filters and rules and so on that I can use to bring
> everything under control, but the point is, I shouldn't *have* to,
> there's no such thing as "irresponsible radio listening" that can
> cause tremendous harm to others.

During the first or second world war (not sure which one it was) the Canadian government thought so. Radio receivers had to be licenced at that time.

> uninformed users have come to pose such a problem for the Internet
> at large that I'm really beginning to wonder how else to fix the
> problem.

It is not uninformed users that cause harm to the internet, it is the highly skilled hackers that do all the harm. Uninformed users only harm their own equipment.

> the average time it takes for an unfirewalled Windows machine to get
> "owned" once it's connected to the 'Net is now down to about
> *twenty minutes*.

What a pile of bull. I have a firewall, it has never yet had to take action to stop an attack. I get an average of about 2 pieces of spam a month and it has been several months since the last time I saw a virus attempt to invade my machine. In over 6 years on the internet there has never been a successful attack on my computer.

> There's an old saying that your right to swing your fist ends at my face...
> well, in this case, I'd say that your right to be irresponsible
> with your computer ends at my router.

That's what routers (firewalls) are for.

Red

Guest guest Posted December 5, 2004

>> In any event, I shouldn't be spending time on this... I'm about
>> to become homeless (or worse), so I've got to keep my priorities
>> straight. If you want to post a reply and have the last word,
>> please feel free to do so -- I'd actually like to continue this
>> discussion, but I can't.
>
> I would too, as I find it interesting to mix two perseverations--
> my libertarian ethos and computers

So do I. Unfortunately, as I said, I can't respond to this, much as I would like to. I have far more pressing concerns right now, and I shouldn't have even gotten into it in the first place. I'm actually in serious jeopardy about a lot of things in a lot of ways, and under such circumstances, academic debates have to be a low priority.

Guest guest Posted December 5, 2004

> "Access to networks like the World Wide Web might need to be limited
> to those who can show they take security seriously, he said."

Let's translate that from politician speak to technical speak: ISPs should limit connectivity by obviously insecure organizations to the internet. Tenet is clearly not a technical person. He is *STILL* not speaking about personal computers. I happen to agree.

--

Guest guest Posted December 5, 2004

> So once again, it is the fault of the victim for not doing enough to stop the
> virus, not the person who wrote it.

We have a law here called "fire code". Personally, I think fire code very well might still fit into a libertarian philosophy since my violation of it may cost my neighbor his life! Let's say I stack up a pile of firewood between my trailer and his, placing it much too close to either trailer (I believe it has to be 10 feet from any structure where I live). Let's say some kid launches a bottle rocket which lands in the wood and sets it on fire (not too far out there since I have kids launching fireworks at my woodpile all the time).

Now, I didn't burn down our trailers. But my actions did contribute to my neighbor losing his, and I am liable in part (yes, civil issue). If he is seriously injured, or the damage is great enough, I may be criminally responsible in part. And I can certainly be prosecuted for violation of fire code. Fire code is technically a civil matter in most instances, but the government is the other party...

We need the equivalent of a fire code on the internet. I do agree with that. I think if your computer is used by an attacker to attack mine, I should be able to recover something from you. Sure, this isn't perfect, but money is one of the few ways that get people's attention in this day and age. When grandma gets fined $250 for having a menace to others - a vulnerable computer actively attacking others - then she'll actually hire someone who can secure it.

> That is totally irrelevant. A person has a right to ride a motorcycle,
> helmetless or not. He has the right to drive a car without airbags. He has the
> right not to wear a seat belt. He has a right to drive a car without anti-lock
> brakes. Your insurance going up is not justification to regulate his freedoms.
> He should not be forced to wear a seat belt to lower YOUR premiums. What
> gives you the right to tell him that he should?

Do I have the right to not pay his medical bills when he gets injured? Or the right to not pay for his children to be raised when he is unable to do that? The problem is that actions *do* affect other people. How about the right to not belt his child into a car seat?

> People have sovereignty over their bodies and their properties

Only when it doesn't cause serious harm to others, yes they should. And if they are polite, yes.

> Not by getting the government involved in making more laws. We have laws on the
> books that are sufficient to get the people that misuse the internet... we don't
> need more. (Sound like something that your RKBA compatriots have said? They're
> right. The answer is more prosecutions of the bad guys, not criminalizing more
> things). The US government can put pressure on the other countries to crack
> down on computer criminals in other countries. Authorities in the Czech
> Republic and Russia have just been in the news for cracking down on the 29A
> hacker group for vx coding.

The problem with this is that there will *always* be one country that doesn't cooperate. Or a country which is actually sponsoring it. I do support cracking down on the people writing these things in the first place. Of course we also get "what is an appropriate punishment?" A fine? How much? What if someone dies as a result? Is that murder? But it wasn't intentional and not readily foreseeable - there was no intent.

> As for computer security-- educating Microsoft will go a long way, and it has.
> Sally Schmoe can't be expected to know that her computer is at risk when she
> signs onto the internet with her machine equipped with Windows 98, and billed as
> "internet ready." But Microsoft should have known that their OS was
> horrendously insecure, and that a compromised machine can be used for anything
> from spreading worms to running a bot used in a DDoS attack against a third
> party. Now that internet security has become a real problem, social pressure
> has caused Microsoft to begin taking security seriously-- now the XP firewall is
> on by default in Windows XP, and the reminders all over the place to make sure
> it is enabled are as annoying as hell to those of us that use solutions that are
> far better than the rudimentary firewall MS uses.

Let me add here that the 3rd most common worm I see at my network border is an Apache/Linux worm. Windows isn't the only one at fault. And the reason Windows machines don't get placed behind firewalls is the fault of people like EAGames and KaZaA. They write applications that require more than just sticking the computer behind the hardware firewall to make them work - ports must be opened, which is beyond the ability of most people. UPNP was actually a good step in the right direction - only one problem, no one thought it was a good idea so it is either turned off or unimplemented.

> And, yes, I am in favor of the court decision that spam is not constitutionally
> protected speech. This means that ISPs and corporations (and end users) have
> the legal grounds to sue spammers. There is no doubt that spam uses up
> bandwidth, and bandwidth is not free. All this means is that a weak defense by
> the spammers has been defeated-- spamming is, and always has been, a tort.

Of course an email to the president that I dislike his policies also takes up bandwidth... Personally, for spammers, I think most reputable businesses won't do it because of social pressure. That's working fine. It's the reputable ones that have a problem. We simply need to prosecute them using existing laws against fraudulent marketing (selling unlicensed or inappropriately channeled medical products is not legal; nor is the Nigerian scheme; in fact, the only things I may have recently got as far as spam which were legal were mortgage vendors).

> If you licensed internet use in the US, and if we presume that spamming were
> effectively stopped (which is a big assumption), and we further presume that
> unprotected users outside of the US cease to exist, you would be providing that
> much more incentive for crackers to find exploits in protected systems. Surely
> you know that when it comes to a commercial firewall installed by an average
> user vs. a skilled cracker, the cracker wins. Firewalls work pretty well now
> because the miscreants can just move on to a more easily compromised system.

Actually, I disagree on that. I would put a Linksys NAT device installed by the average user up against a firewall installed by any government security team for a military installation. Believe it or not, these basic firewalls don't have much to exploit. Sure, someone might find a way, but

> Home networks are growing in popularity, especially the wireless
> variety. Adding a NAT router to the average computer adds a significant
> layer of security (although too many routers still respond to packets
> sent to IDENT/113). If we could get more people to delete Outlook
> Express, including the Windows Address book, and to block Internet
> Explorer from accessing the net, that would help too.

So you are not willing to blame end-users but you *ARE* willing to blame Microsoft? Doesn't sound very libertarian to me! You are *STILL* blaming the victim, just a different one than Parrish.

There was a major Mozilla exploit a few weeks ago in the most current version of Mozilla. Opera had a major exploit (2 actually) released in the last few days. IE has not had a major exploit in the current version for several months at least. I've been using IE for web browsing for nearly 10 years. I go to *A LOT* of sites. I've YET to get a virus by browsing the web (in fact, the only viruses I "get" on my computer have been ones emailed to me and caught by my virus scan). The only computer I've ever had that got "hacked" that I was responsible for was a Unix (FreeBSD) server.

When people see network security as a Microsoft problem, we do have a problem. Sure, there are Microsoft Problems, but there are also Opera, Mozilla, Linux, FreeBSD, MacOS, etc, problems.

Let me give you another problem: I've been working on OS390 (IBM zOS - mainframe stuff) problems just recently. OS390's SMTP system does not provide any sort of ability to limit ability to relay through it, for instance - none. It just isn't possible. Tough shit, according to IBM. And double-tough-shit that the mainframe security software only allows 8 character maximum passwords and is case insensitive. That means it takes 1/50th the number of password guesses to guess a mainframe password as to guess a Windows mixed-case password (about 1.8% of the guesses, actually) - and of course it gets much less very quickly if the Windows machine uses longer passwords.

> Another way to work on the problem is to convince ISPs to do their part. If
> they filtered outbound packets to make sure that the IP address they say they
> are from is accurate, a lot of the problem would go away. ISPs could use
> heuristics to determine if a given connection is possibly being used to send
> spam, and they can investigate and act to stop it (since most ISPs have ToS that
> ban spam).

Yes, I agree. Although a common carrier is not allowed to do the kind of heuristics you mention, and for good reason. Some ISPs consider themselves common carriers, some don't, but I think all should be. I don't think business is a better guardian of liberty than the government is. Would you support a large state network that connects, say, public libraries, from installing black box heuristic analyzers on those networks? Even if the black box was actually run by the ISP?

A solution to the Spam problem that ISPs *can* implement is to block all inbound and the outbound port 25 activity not going to one of the ISP's mail servers. When it is not economical to send spam, it'll stop. Right now, someone else is paying for the spammer's bandwidth (Aunt with her compromised Windows machine).

--

Guest guest Posted December 5, 2004

At 11:03 AM 12/5/2004, babbled happily:

>Let me add here that the 3rd most common worm I see at my network border
>is an Apache/Linux worm. Windows isn't the only one at fault.

THANK YOU. There's a very simple reason that the varying flavors of 'nix don't have as many viruses. It's because the average 'nix administrator is *highly* experienced, well-educated and comfortable with complexity, and generally very security savvy.

Let RedHat and clones keep dumbing it down to attract more average users and you'll see security holes that make Windows look like an oasis of safety. Worse, 'nix users overall are, I think, *more* vulnerable because most of them think "I'm using 'nix, so I'm secure."

Most people getting viruses are getting them because of a lack of education--do you think the kind of person who can't be bothered to learn about anti-virus is really going to care for the learning curve of a 'nix OS? Puhlease. I want to write a viral anti-virus

>There was a major Mozilla exploit a few weeks ago in the most current
>version of Mozilla. Opera had a major exploit (2 actually) released in
>the last few days. IE has not had a major exploit in the current version
>for several months at least. I've been using IE for web browsing for
>nearly 10 years. I go to *A LOT* of sites. I've YET to get a virus by
>browsing the web (in fact, the only viruses I "get" on my computer have
>been ones emailed to me and caught by my virus scan).

Again, THANK YOU. I have to laugh--that mozilla exploit was pretty bad, and yet, even though their share of the market is increasing, hardly anyone had heard anything about it. Microsoft at least makes sure they get the word out, and most of the time, when you hear about some virus using an exploit, the patch has been out for months.

To hear a lot of people talk, you would think that patches are bad. That's an attitude that needs adjusting. Patches are to cover situations that the original designers had *no* way of anticipating. I doubt that Mozilla thought that there could possibly be an exploit hidden in the fact that their browsers are sticklers for correct web page code. Surprise! Recently they found out otherwise. Internet Explorer, which is far more forgiving of minor errors and will "fill in the blanks" itself, was unaffected.

Another *BIG* mess that got next to no media attention was the MySQL injection hack. MySQL is a type of database that is used on *guess what?* Unix servers. And there is a *simple* way to hack in. The only protection against it is good coding practices, I haven't yet heard of a MySQL version that isn't vulnerable. And yet MySQL is viewed as an easy database for the beginning coder. Who is most likely to have bad coding practices, d'you think? Hmm?

To briefly address another point raised in this thread, someone said that the average time for a Windows machine to be compromised is twenty minutes. The key there is "unsecured". I personally think that, on a new install, Windows ought to block all services except for the connection to the Microsoft servers as the latest patches are downloaded, and I think it shouldn't be an option not to do it. I personally just install my firewall immediately before doing patches, and I haven't been compromised.

Of course... I fit the average 'nix user profile, so I know how to harden my machine even on a Windows OS, and there you go--I'm educated and thus less vulnerable. I'm sure if someone was *really* determined, they could get in, but I know enough to not be affected by the average script kiddy.

The point I'm making is don't assume because you aren't running Windows, you are safe--you aren't, as so clearly illustrated. The only solution is education, no matter what the OS flavor of the month.

Z

"What are we going to do tonight, Brain?"
"The same thing we do every night, Pinky. We're going to try to take over the world!!"
---Pinky and the Brain

Visit me at <www.zolaweb.com>! ICQ#2048151

Guest guest Posted December 5, 2004

>> uninformed users have come to pose such a problem for the
>> Internet at large that I'm really beginning to wonder how else to
>> fix the problem.
>
> It is not uninformed users that cause harm to the internet, it is
> the highly skilled hackers that do all the harm. Uninformed users
> only harm their own equipment.

Actually, it's both. The uninformed users facilitate most of what the hackers do.

>> the average time it takes for an unfirewalled Windows machine to
>> get "owned" once it's connected to the 'Net is now down to about
>> *twenty minutes*.
>
> What a pile of bull. {snip}

*sigh* I assure you that what I'm saying is true, Red. I'm an industry professional and read a good number of industry periodicals and newsletters each week, and I've read quite a few studies on this. When an unfirewalled Windows computer is connected directly to the Internet (that is, without NAT), it is typically compromised in a matter of minutes. That is not "bull"; it is laboratory-verified fact. Please do some Google searches if you doubt this. I'd do it myself, but I have neither the inclination nor the time.

--
Homemade scented candles to bring warmth and fragrance to your home...
Knight Scents
http://www.knightscents.biz

Guest guest Posted December 5, 2004

> Let RedHat and clones keep dumbing it down to attract more average users
> and you'll see security holes that make Windows look like an oasis of
> safety. Worse, 'nix users overall are, I think, *more* vulnerable because
> most of them think "I'm using 'nix, so I'm secure."

Agreed. I've also seen incredibly bad system engineering practices come from the assumption that "Linux is secure." For instance, a server that contains the customer database (often with credit card information) combined with being the company mail server and web server. It's clearly engineering best practice to separate web and database. Yet I see plenty of Unix people fail to do that. And later I see my credit card get compromised because someone thought Linux was secure.

I've lost count of the number of friends I know who run Linux and SSH into it remotely from untrustworthy machines, such as machines on campus, at a trade show, an internet cafe, or less-skilled friends' machines. There is more to security than how many viruses exist for your platform.

> Patches are to cover situations that the original designers had *no* way of
> anticipating.

Or where the developers just happen to be human. I consider myself a fairly good programmer. I just recently made a major screw up in a piece of software I wrote, one which completely allowed the user to bypass the security. My problem was I assumed that the back end system I authenticated against provided error messages by raising a faultstring message. Well, they upgraded their middle-ware on that machine and all of a sudden it provided error messages in the return code, which I interpreted as "oh, non-zero return code, valid login." I should have done "oh, not a value of '1', invalid login", but until the middleware was upgraded, my code was perfectly secure. Real life is a lot more complicated than "don't allow buffer overflows."

> Another *BIG* mess that got next to no media attention was the MySQL
> injection hack.

I've been complaining about this for years. I would say 90% of custom web software I look at has *some* sort of injection attack. I wouldn't blame MySQL for this - it executes the SQL sent to it, as it should. It's a problem of very bad programming practice - SQL has no business being dynamically constructed in 99% of the cases where it is dynamically constructed. There are also Oracle, MSSQL, Sybase, DB2, etc, injection attacks - same problem. Of course it is easier to mitigate on these other platforms (they have better stored procedure environments)...

And Microsoft has actually released an ISAPI filter which blocks many injection attacks (not all, though - it isn't perfect and isn't a substitute for good programming practices). I have yet to see Linux try something similar. I think the reason is that Linux programmers assume that programmers using the Microsoft platform are just stupid and don't know what they are doing, while they themselves are great programmers... Not very reassuring.

I will say that the organization I work for has run Windows web servers for years (at least 5). We've never had a web site defacement in the centrally managed servers. We've had non-centrally managed servers running both Linux/Unix and running Windows compromised, however. Of course the more experienced IT people are working for the central shop, so that isn't too much of a surprise.

I think a lot of the security talk today is addressing the wrong problem - it addresses flaws in end-user software, which certainly need to be addressed, but fails to address secure architectural processes. Where I work, a compromise of a web server would not compromise any data that wasn't in transit through the server during the time the hacker was on the box. Thus, the hacker *could* get credit card numbers of users who enter the number while the compromise exists, but not the other 100,000 or so people in the database nor for anyone who uses a credit card already on file. And we made the assumption that the hacker would have full administrative access to the web server, every single password that is stored on the server (including passwords to the next tier, which *isn't* a set of database servers in our environment), etc. We also assumed they were a competent programmer who had full access to our source code.

Rather than preventing an attack, which is probably impossible, we concentrated on containing the attack and making the hacker have to compromise several systems and get through several firewalls before he would have access to the personal data. Still not impossible, but it is nice to know that if my programmers screwed up on the front end website, my personal data is still fairly secure.

But this type of architecture is not common. It's especially not common in the LAMP (Linux/Apache/MySQL/Perl-or-PHP) environment - there isn't a middle tier in the LAMP environment, typically no way to protect the data from a compromise of the web server. If someone has root access to the web server, even if it isn't the same box as the database server, there will typically be a password on the webserver in some text file (if we are lucky, it is encrypted so the hacker will either have to modify the program which knows how to decrypt it or will have to read the code to decrypt it - or even just watch as it is sent across the network) somewhere that allows him full access to the database's data. Too many people, Linux people in particular, focus on protecting the operating system and computer system, but forget about the data itself.

Another Linux flaw, in libc a while ago, allowed a user to rlogin to a machine without having been granted access. The rlogin programmer had no way of knowing someone would modify the library his program depended upon - when he tested rlogin on an older library, it worked fine. And his code was secure. And so was libc *at that time*. But they screwed up during a "minor" change and rendered rlogin insecure. That kind of thing happens in Linux where everyone has access to everyone else's code. There's no magic bullet for security. (this bug was very similar to the bug in my authentication system)

--
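
Added example, not part of the original post and not the poster's code: the authentication bug described above, modelled as a fail-open check next to a fail-closed one. The back ends, exception class and return codes are hypothetical stand-ins; only the rule "a value of 1 means valid, anything else is invalid" comes from the post.

```python
"""Fail-open vs fail-closed handling of a back-end authentication result.

Every name here (BackendFault, backend_v1, backend_v2, the error codes and
the sample account) is hypothetical and constructed for this illustration.
"""


class BackendFault(Exception):
    """Models the fault/faultstring the old middleware raised on errors."""


LOGIN_OK = 1            # the one value that means "credentials accepted"
ERR_BAD_PASSWORD = 2    # constructed error codes used by the new middleware
ERR_NO_SUCH_USER = 3

USERS = {"alice": "correct horse"}  # constructed sample account


def backend_v1(user, password):
    """Old middleware: success returns 1, every failure raises a fault."""
    if USERS.get(user) != password:
        raise BackendFault("authentication failed")
    return LOGIN_OK


def backend_v2(user, password):
    """Upgraded middleware: never raises, reports failure in the return code."""
    if user not in USERS:
        return ERR_NO_SUCH_USER
    if USERS[user] != password:
        return ERR_BAD_PASSWORD
    return LOGIN_OK


def login_fail_open(backend, user, password):
    """Flawed check: anything that is neither a fault nor zero is a login."""
    try:
        rc = backend(user, password)
    except BackendFault:
        return False
    return rc != 0


def login_fail_closed(backend, user, password):
    """Hardened check: only the exact success value authenticates."""
    try:
        rc = backend(user, password)
    except Exception:
        return False  # any error, expected or not, denies access
    # The type test keeps True (== 1 in Python) and the string "1" out.
    return type(rc) is int and rc == LOGIN_OK


def compare():
    """Return {(backend, check): granted} for one wrong-password attempt."""
    results = {}
    for backend in (backend_v1, backend_v2):
        for check in (login_fail_open, login_fail_closed):
            key = (backend.__name__, check.__name__)
            results[key] = check(backend, "alice", "wrong guess")
    return results


if __name__ == "__main__":
    for key, granted in compare().items():
        print(key, "-> access granted" if granted else "-> denied")
```

Only the combination of the upgraded back end and the fail-open check grants access on a wrong password, which is why the flaw stayed invisible until the middleware changed.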
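
Added example, not part of the original posts: the point made in this thread that the database "executes the SQL sent to it" and that the flaw is dynamically constructed SQL, shown as a string-built query beside a bound-parameter one. It uses Python's built-in sqlite3 as a stand-in for MySQL; the table, rows and inputs are constructed.

```python
import sqlite3


def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    db.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"),
         ("carol", "3333"), ("o'brien", "4444")],
    )
    return db


def lookup_dynamic(db, name):
    """Vulnerable: the caller's text becomes part of the statement itself."""
    sql = ("SELECT name, card_last4 FROM customers WHERE name = '"
           + name + "'")
    return db.execute(sql).fetchall()


def lookup_bound(db, name):
    """Hardened: the statement text is fixed; the value travels separately."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


# Constructed input whose quote characters change the WHERE clause when
# it is pasted into the statement text.
CRAFTED = "nobody' OR '1'='1"


def dynamic_breaks_on_apostrophe(db):
    """A legitimate name containing a quote makes the built query invalid."""
    try:
        lookup_dynamic(db, "o'brien")
    except sqlite3.OperationalError:
        return True
    return False


def summary():
    """Row counts each function returns for the crafted input."""
    db = make_db()
    return {
        "dynamic": len(lookup_dynamic(db, CRAFTED)),
        "bound": len(lookup_bound(db, CRAFTED)),
    }


if __name__ == "__main__":
    print(summary())
    print("apostrophe breaks dynamic query:",
          dynamic_breaks_on_apostrophe(make_db()))
```

The same input is a data value in one function and query syntax in the other; the engine behaves identically in both cases, so the fix sits in the application code rather than in the database version.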